From 08e07ecbef2e1ebdcaaed7a9c90e10eacbc210a8 Mon Sep 17 00:00:00 2001
From: Guillem Jover
Date: Sun, 19 Mar 2017 19:40:14 +0100
Subject: [PATCH] Dpkg::Source::Patch: Indented patch test-case
POSIX specifies that a diff hunk can be indented by spaces or tabs (while the original patch(1) by Larry Wall also accepts 'X'), as long as the amount of spaces is consisten for all subsequent lines. And as we are not checking for this condition at all, any such indented hunk can avoid the sanity checks performed by Dpkg::Source::Patch. On systems using GNU patch >= 2.7.5, this should, in principle, not be a problem anymore, as that implementation protects against directory traversal issue. But on other systems where the patch implementation does not perform such checks (such as the BSDs) this is an issue, so check for this in the test-suite. Those are arguably all security issues in these various patch implementations, but given that we are performing sanity checks and that those implementations are currently very lax, it seems prudent to do the heavy lifting ourselves and also take the possible blame too.
Fixes: CVE-2017-XXXX
---
 scripts/t/Dpkg_Source_Patch.t | 6 +++++-
 scripts/t/Dpkg_Source_Patch/indent-header.patch | 9 +++++++++
 2 files changed, 14 insertions(+), 1 deletion(-)
 create mode 100644 scripts/t/Dpkg_Source_Patch/indent-header.patch
diff --git a/scripts/t/Dpkg_Source_Patch.t b/scripts/t/Dpkg_Source_Patch.t
index 8f382f546..938f98ebb 100644
--- a/scripts/t/Dpkg_Source_Patch.t
+++ b/scripts/t/Dpkg_Source_Patch.t
@@ -16,7 +16,7 @@
 use strict;
 use warnings;
-use Test::More tests => 9;
+use Test::More tests => 10;
 use Test::Dpkg qw(:paths);
 use File::Path qw(make_path);
@@ -67,4 +67,8 @@ test_patch_escape('partial', 'symlink', 'partial.patch',
 test_patch_escape('ghost-hunk', 'symlink', 'ghost-hunk.patch',
 'Patch cannot escape using a disabling hunk');
+# This is CVE-2017-XXXX
+test_patch_escape('indent-header', 'symlink', 'indent-header.patch',
+ 'Patch cannot escape indented hunks');
+
 1;
diff --git a/scripts/t/Dpkg_Source_Patch/indent-header.patch b/scripts/t/Dpkg_Source_Patch/indent-header.patch
new file mode 100644
index 000000000..4bef00829
--- /dev/null
+++ b/scripts/t/Dpkg_Source_Patch/indent-header.patch
@@ -0,0 +1,9 @@
+ --- /dev/null
+ +++ b/symlink/index-file
+ @@ -0,0 +1,1 @@
+ +Escaped
+
+--- /dev/null
++++ b/dummy-file
+@@ -0,0 +1,1 @@
++Dummy to make the code see a valid hunk
--
2.12.2.762.g0e3151a226
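Review bot: The new `test_patch_escape('indent-header', 'symlink', 'indent-header.patch', ...)` call, together with the `tests => 10` bump in the previous hunk, lands without any change to Dpkg::Source::Patch in this commit, and the description itself states that the indentation condition is not checked at all, so this case presumably fails until the parser change it covers is in place; applying the parser fix first, or squashing the two, keeps the suite green at every revision. The `# This is CVE-2017-XXXX` comment repeats the placeholder from the `Fixes:` trailer and will need the assigned identifier filled in at both sites before merging. A reader of the test file has no hint of what the fixture contains, so a short comment such as `# Hunk header lines indented by a leading blank must still be parsed and their target paths checked` would make the intent visible without opening the fixture.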
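Review bot: The fixture indents the first embedded diff's `---`, `+++` and `@@` lines with a single space only, while the description notes that POSIX also permits tab indentation (and classic patch(1) accepts 'X'), so this test pins exactly one form of the accepted set. A sibling fixture using a tab as the indentation character, registered with its own `test_patch_escape` call, would show that the sanity check keys on the indented header structure rather than on the space character specifically. Because a patch fixture carries no comment syntax of its own, the reason for the trailing `dummy-file` hunk is only recorded inside the fixture text; a one-line note in the .t naming the two-part layout would help whoever next edits it.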